Search criteria
2 vulnerabilities by probot
CVE-2023-50728 (GCVE-0-2023-50728)
Vulnerability from cvelistv5 – Published: 2023-12-15 21:59 – Updated: 2024-08-02 22:16
VLAI?
Summary
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.
Severity ?
5.4 (Medium)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octokit | webhooks.js |
Affected:
>= 9.26.0, < 9.26.3
Affected: >= 10.9.0, < 10.9.2 Affected: >= 11.1.0, < 11.1.2 Affected: >= 12.0.0, < 12.0.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
},
{
"name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
},
{
"name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
},
{
"name": "https://github.com/probot/probot/releases/tag/v12.3.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/probot/probot/releases/tag/v12.3.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "webhooks.js",
"vendor": "octokit",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.26.0, \u003c 9.26.3"
},
{
"status": "affected",
"version": "\u003e= 10.9.0, \u003c 10.9.2"
},
{
"status": "affected",
"version": "\u003e= 11.1.0, \u003c 11.1.2"
},
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T21:59:00.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
},
{
"name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
},
{
"name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
},
{
"name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
},
{
"name": "https://github.com/probot/probot/releases/tag/v12.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/probot/probot/releases/tag/v12.3.3"
}
],
"source": {
"advisory": "GHSA-pwfr-8pq7-x9qv",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Denial of Service in the octokit/webhooks library"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50728",
"datePublished": "2023-12-15T21:59:00.312Z",
"dateReserved": "2023-12-11T17:53:36.032Z",
"dateUpdated": "2024-08-02T22:16:47.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26918 (GCVE-0-2021-26918)
Vulnerability from cvelistv5 – Published: 2021-02-09 02:07 – Updated: 2024-08-03 20:33
VLAI?
Summary
The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the "Send an image when a user joins the server" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states "This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won't compromise either the client side or the server side.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:probot:bot:2021-02-08:*:*:*:*:discord:*:*"
],
"defaultStatus": "unknown",
"product": "bot",
"vendor": "probot",
"versions": [
{
"status": "affected",
"version": "2021-02-08"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-26918",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T15:08:56.785244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:20.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-16T20:42:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-26918",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the \"Send an image when a user joins the server\" feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states \"This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\u0027t compromise either the client side or the server side.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/TheLastVvV/Vulnerability-Reports-and-CVE/main/Reports/Discord%20Probot%20-%20Unrestricted%20File%20Upload.txt"
},
{
"name": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161347/Discord-Probot-Arbitrary-File-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-26918",
"datePublished": "2021-02-09T02:07:20",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}